So no big surprise here, malware is getting more malicious! It’s good to know though and it’s good that companies out there like Messagelabs, under the watchful eye of Symantec, are trying to measure what is going on in malware land.

The malware/worm landscape has always been a fast moving one and my guess is it’s only going to get faster as more of the World gets an Internet connection, a basic grasp of coding and a greed to scam money from people.

A decade after the Love Bug virus attacked millions of computers worldwide and put the Philippines in the IT world map in a negative way, computer security experts have noticed that today’s computer attacks are more malicious than the original computer security threat. In its April 2010 security report, Symantec said it has detected 36,208 unique strains of malware that were designed to carry out targeted attacks.

MessageLabs, which was acquired by Symantec later, was the first one to raise the alert on the Love Bug virus, which was designed to overwrite and destroy data. The virus came in the form of a message attachment when, once opened, sent itself to the addresses of the email recipient and spread on from there.

Ten years since Symantec Hosted Services, then MessageLabs, intercepted 13,000 copies of the virus in a single day on 4 May 2000, MessageLabs Intelligence said it now stops 1.5 million copies of malicious e-mails each day.

The latest is that the malware of today is more malicious than the infamous ILOVEYOU worm that broke out 10 years ago in the year 2000.

You can see the jump is scales though, from 13,000 in a day to 1.5 million in a day. I still tell people the reason we need such vast storage clouds and such fast Internet connections is because of only 2 things – porn and spam.

It seems the dynamics have changed too, the bad guys are no longer writing mass spreading spammy malware – but sending much more malicious and highly targeted viruses.

“Although mass mailing viruses like the Love Bug are rare today, cyber criminals’ techniques have evolved to more malicious, highly targeted attacks and they are motivated less by achievement and credibility than by financial gain and identity theft,” Symantec said in a statement. “On 4 May, 2000, 1 in 28 e-mails contained the Love Bug virus. By comparison, 1 in 287.2 e-mails contained a virus on 9 April 2010, the peak for April. In April 2010 overall, MessageLabs Intelligence intercepted 36,208 unique strains of malware.”

“The Love Bug was operating in the wake of the Melissa virus, a similarly destructive worm from the previous year,” said MessageLabs Intelligence senior analyst Paul Wood. “Back then, users were less savvy, regarding the dangers posed by suspicious e-mail attachments and e-mails from unknown senders. The general public was also less aware of issues such as spam and denial of service attacks.”

The April 2010 MessageLabs Intelligence Report also revealed that Rustock has surpassed Cutwail as the biggest botnet both in terms of the amount of spam it sends and the amount of active bots under its control.

Botnet dynamics have also shifted a bit with Cutwail being knocked off the top spot and replaced by Rustock.

Rustock was knocked back a while ago and the Next-gen botnets were touted to replace it along with Srizbi.

Source: Network World

Back in November there was a considerable drop in Spam when Spam friendly ISP McColo was cut off from the Internet by it’s upstream peer.

Srizbi worm was pretty smart though and was picking up again by the end of November. Later in the year the botnets were somewhat neutralised leading to a huge drop in spam.

But now, they are back – re-engineered – and ready to spam without going down again.

The demise late last year of four of the world’s biggest spam botnets was good news for anyone with an email inbox, as spam levels were cut in half – almost overnight. But the vacuum has created opportunities for a new breed of bots, some of which could be much tougher to bring down, several security experts are warning.

New botnets with names like Waledac and Xarvester are filling the void left by the dismantling of Storm and the impairment of Bobax, Rustock, and Srizbi, these researchers say. The new breed of botnets – massive networks of infected Windows machines that spammers use to blast out billions of junk messages – sport some new designs that may make them more immune to current take-down tactics.

Waledac is a good example. It appears to be a complete revision of Storm, that includes the same state-of-the-art peer-to-peer technology and fast-flux hosting found in its predecessor, according to researcher Joe Stewart of Atlanta-based security provider SecureWorks. But it differs from Storm in one significant way: Weak encryption protocols, which proved to be an Achilles Heel that led to its downfall, have been completely revamped

That’s one problem with attacking these botnets and the malware behind them, the people doing it aren’t kids having fun. They are business syndicates making serious money, so whatever you do – they are going to learn from it and adapt their software and methods to circumnavigate it.

That’s what seems to be happening now with Waledac, a new re-engineered version of Storm with stronger encryption protocols. They learnt from their mistakes and released a new, updated and more powerful version.

What amazes me is that in the Xarvester malware, it actually makes use of the Windows crash reports – sending them to the developers to make the bot more stable!

“Several researchers are actively studying the communications, but I don’t know if and when it will be broken and hijackable,” said Jose Nazario, a security researcher at Arbor Networks. “The guys behind the botnet seems intent on staying up and so evading researchers seems like the most appropriate thing to do.”

Waledac has amassed some 10,000 zombie computers so far, a tiny fraction of the bigger botnets. But Stewart expects it to be a major player in the coming months. Meanwhile, a spam botnet called Xarvester is making similar inroads. It is the world’s third-biggest spammer, accounting for over 13 percent of the world’s spam, according to Marshall. What’s more, its uncanny resemblance to Srizbi has sparked suspicions it is a reincarnation of that notorious botnet. Similarities include an HTTP-based command and control center that uses non-standard ports, encrypted template files used to send spam and configuration files with the common formats and data.

It also has a sophisticated feedback system that helps bot developers squash bugs so the software is harder to detect on a victim’s machine.

“Just like Srizbi, Xarvester has the ability to upload the Windows minidump crash dump file to a control server in the event that the bot crashes a system,” according to this analysis from Marshall. “This is presumably to help the botnet controllers debug their bot software.”

It seems like Xarvester has some uncanny resembelances to Srizbi too, so maybe it’s a new updated release from the same group which fixes the flaws that made Srizbi fail in the long term.

The infection rates for these bots are quite low currently, but due to the new measures the developers have taken they are likely to gain many more infections and be much harder to remove/detect and stop.

Source: The Register